Incident Response Methodology: The OODA Loop


An incident response methodology can be explained as a collection of procedures aimed at identifying, investigating and responding to potential security incidents in a way that minimizes impact and supports rapid recovery.

In this blog, we'll explain how to use the OODA Loop, developed by US Air Force military strategist John Boyd, to create your own incident response methodology. The OODA loop stands for Observe, Orient, Decide and Act.

The OODA Loop in Your Incident Response Methodology

Observe

Questions to Ask – What does normal activity look like on my network? How can I find and categorize events or user activity that aren’t normal, and which of those require my attention now? Finally, how can I fine-tune my security monitoring infrastructure?

Key Takeaways – In this phase of incident response methodology, the more observations you make and document about your business operations and network, the more successful you’ll be at response and defense.

Orient

Questions to Ask – Is your company preparing for a new software package or planning layoffs? Have you or anyone else in the wild seen attacks from this particular IP address before? Do you know what the root cause is? How large is the scope and impact?

Key Takeaways – In this phase of incident response methodology, it’s important to try to think like the attacker so that you can orient your defense strategies against the latest attack tools and tactics. These are always changing, so make sure you have the latest threat intelligence for your security monitoring tools. This will ensure that your tools are capturing the right information and providing accurate context.

Decide

Questions to Ask – Once you have all the facts, it’s time to ask yourself and your team how to act.

Key Takeaways – In this phase of incident response methodology, catalog all areas of your incident response process. Perhaps one of the most important areas to document here is communications around data collection and the decision-making process.

Act

Questions to Ask – How can I quickly remedy the affected systems and get them back online? How can this be prevented in the future? What are ways that we can educate users so these things don’t happen again? Should we fine-tune our business process based on these lessons?

Key Takeaways – In this phase of incident response methodology, training, communication, and frequent improvement are important to success in reacting effectively during an incident. Everyone on your team should know their roles and what is expected of them. Also, it’s recommended to keep up to date on security best practices and empower team members to speak up when they identify areas for improvement in your incident response methodology.

Note:

This blog was created from a section of the AlienVault Insider’s Guide to Incident Response eBook. To read or download the full eBook, visit: